From d0d6b6d3dc8e31c94cb3c0cab7aecdd835b3836b Mon Sep 17 00:00:00 2001 From: kencx Date: Mon, 19 Jun 2023 23:32:17 +0800 Subject: [PATCH] Require password when modifying account recovery --- .../tildes/templates/settings_account_recovery.jinja2 | 5 +++++ tildes/tildes/views/api/web/user.py | 10 ++++++++-- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/tildes/tildes/templates/settings_account_recovery.jinja2 b/tildes/tildes/templates/settings_account_recovery.jinja2 index 0323840..b35c3f8 100644 --- a/tildes/tildes/templates/settings_account_recovery.jinja2 +++ b/tildes/tildes/templates/settings_account_recovery.jinja2 @@ -56,6 +56,11 @@ +
+ + +
+
diff --git a/tildes/tildes/views/api/web/user.py b/tildes/tildes/views/api/web/user.py index ef80973..a9b70f3 100644 --- a/tildes/tildes/views/api/web/user.py +++ b/tildes/tildes/views/api/web/user.py @@ -70,13 +70,19 @@ def patch_change_password( request_param="ic-trigger-name=account-recovery-email", permission="change_settings", ) -@use_kwargs(UserSchema(only=("email_address", "email_address_note")), location="form") +@use_kwargs( + UserSchema(only=("email_address", "email_address_note", "password")), + location="form", +) def patch_change_email_address( - request: Request, email_address: str, email_address_note: str + request: Request, email_address: str, email_address_note: str, password: str ) -> Response: """Change the user's email address (and descriptive note).""" user = request.context + if not user.is_correct_password(password): + raise HTTPUnauthorized(body="Incorrect password") + # If the user already has an email address set, we need to retain the previous hash # and description in the log. Otherwise, if an account is compromised and the # attacker changes the email address, we'd have no way to support recovery for the
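Review bot: The new `user.is_correct_password(password)` check in `patch_change_email_address` has no visible failed-attempt limiting, so anyone holding a valid session (the hijacked-session case this commit is defending against) can use this settings form as an online password-guessing oracle, one guess per request. If the login view (or the adjacent `patch_change_password`, whose header is visible in the hunk context but whose body is not) applies a rate limit or increments a failed-login counter, the same mechanism should gate this check before the `HTTPUnauthorized` is raised, and a comment such as `# Count a wrong password like a failed login so a stolen session cannot brute-force it here` would record why. Separately, the added `password` form field should be kept out of any request/parameter logging on this route; I cannot tell from the hunk whether such logging exists. The body of `patch_change_email_address` continues past the end of the hunk.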